Use of Hard-coded Cryptographic Key| ID: 321 | Date: (C)2012-05-14 (M)2022-10-10 |
| Type: weakness | Status: DRAFT |
| Abstraction Type: Base |
Description
The use of a hard-coded cryptographic key significantly
increases the possibility that encrypted data may be
recovered.
Likelihood of Exploit: High
Applicable PlatformsLanguage Class: All
Time Of Introduction
Common Consequences
| Scope | Technical Impact | Notes |
|---|
| Access_Control | Bypass protection
mechanismGain privileges / assume
identity | If hard-coded cryptographic keys are used, it is almost certain that
malicious users will gain access through the account in question. |
Detection MethodsNone
Potential Mitigations
| Phase | Strategy | Description | Effectiveness | Notes |
|---|
| Architecture and Design | | Prevention schemes mirror that of hard-coded password storage. | | |
Relationships
| Related CWE | Type | View | Chain |
|---|
| CWE-321 ChildOf CWE-898 | Category | CWE-888 | |
Demonstrative Examples (Details)
- The following code examples attempt to verify a password using a
hard-coded cryptographic key. The cryptographic key is within a hard-coded
string value that is compared to the password and a true or false value is
returned for verification that the password is equivalent to the hard-coded
cryptographic key. (Demonstrative Example Id DX-92)
White Box Definitions None
Black Box Definitions None
Taxynomy Mappings
| Taxynomy | Id | Name | Fit |
|---|
| CLASP | | Use of hard-coded cryptographic key | |
| OWASP Top Ten 2007 | A8 | Insecure Cryptographic Storage | CWE_More_Specific |
| OWASP Top Ten 2007 | A9 | Insecure Communications | CWE_More_Specific |
| OWASP Top Ten 2004 | A8 | Insecure Storage | CWE_More_Specific |
References:None
